The Care.data programme still lives on – albeit not with the same name, and as the NHS has made clear it will be using resources that it put into this project up until now for future data-sharing initiatives.
The scheme was launched in a bid to allow primary care data from GP practices to be shared with the Health and Social Care Information Centre (HSCIC) and clinical care groups (CCGs), and eventually matched with secondary care data, anonymised and shared with researchers.
But there was controversy over who the NHS will exactly be sharing the data with, and how it would be notifying patients of this. Privacy campaigners insisted that there should be an opt-out for patients – but the NHS managed to make a mess of this too, with a £1m leaflet campaign which failed to raise awareness, and many patients who had opted-out still having their data shared.
Several years ago, an internal review by the NHS information centre (NHS IC) found that it made “significant lapses” in recording the release of data to private companies between 2005 and 2012.
Within that period, 588 data releases were made to 178 private-sector organisations which didn’t include charities, for the alleged purpose of “analytics, benchmarking and research”.
Just ahead of the report, dubbed the ‘Data Release Review’ being published, the NHS information centre was renamed the Health and Social Care Information Centre (HSCIC). Care.data was subsequently launched by NHS England, and was run by HSCIC. Now that Care.data has been dropped – you guessed it – HSCIC has been renamed NHS Digital. It seems as if the toxic brand associated with Care.data also transferred over to HSCIC. The reason for changing its name twice? To dissolve any responsibility of sharing data with private companies, and start fresh.
So what should the NHS do now?
What is clear is that the NHS hasn’t been transparent through the whole Care.data process. Merely moving away from the brand name of Care.data and working on a project behind the scenes is likely to cause even more controversy and ill-feeling if and when details leak about any such project. The NHS should have learnt from its mistakes of the Care.data programme, and it should work with privacy campaigners to ensure everything it is doing is in the interests of patients. There is no doubt that the NHS needs to improve the way it shares data, because this will in-turn improve the health service, and benefit its patients. However, patients need to know what data is being shared and who it is being shared with, and they should have the option to opt-out.
This means the NHS needs to make every patient aware of the project or projects, and of their choices. In order to do that, it must simplify the wording of the opt-outs; most of the material that the NHS has on its Type-1 and Type-2 opt-outs is overly complicated. The opt-outs should be made electronically, and as once suggested by @Marcus_Baw, they should look more like this:
Dame Fiona Caldicott proposed a new opt-out mechanism based on either a single question or two linked questions, but she failed to indicate a favourable option which has delayed any new programme further. This delay has an impact on the health service; the NHS needs a model to be able to share data, and it needs its patients on board. It needs to act swiftly, so that UK citizens – and not private companies – can start reaping the rewards.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
Why should opt-outs have to be made electronically ? Forcing those who may not feel comfortable with the internet have to use it. If we consider the specific process for opting out or indeed asking any organization for data it holds. In the first instance the person making the request has to identify themselves. By this very fact they are providing some Personally Identifiable Information (PII). Certainly in the latter case handing over some information that the organization may not have had in the first instance. The question is then, if a person identifies themselves to opt-out or have confirmation of data held about themselves, does that mean the person's name, address and date of birth can 'legally' be retained by the organization to which the request is sent ? By the very fact that the person has to send their PII to complete the process, is this considered 'consent' ?